Once you have the thumbprint, you can use it as input to the Enable-ExchangeCertificate
task. You'll need to specify the thumbprint and the services you want to use.
For example,
Enable-ExchangeCertificate -Thumbprint A9223805480A3A89943A6D834E5EB391A50CFD7A -Services "IMAP,POP"
will make the certificate with the specified thumbprint available for use with
IMAP and POP without changing the certificate bindings for unified messaging,
IIS, or SMTP. You can change certificate bindings at any time.
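The same binding done the way I would script it, as an added example rather than the article's own command: select the certificate by the host name clients will connect to instead of pasting a thumbprint, check it before binding, and verify afterwards. The host name mail.contoso.com and the 30-day expiry threshold are assumptions; the cmdlets and properties are Exchange 2007's.

```powershell
# Added example, not from the article. Assumed: the Client Access server answers
# as mail.contoso.com, and you want a warning within 30 days of expiry.
$fqdn = "mail.contoso.com"

# Pick the latest-expiring certificate that has a private key and carries the
# public name. A thumbprint copied from a listing can just as easily point at an
# expired, key-less, or self-signed entry.
$cert = Get-ExchangeCertificate |
    Where-Object { $_.HasPrivateKey -and ($_.CertificateDomains -contains $fqdn) } |
    Sort-Object NotAfter -Descending |
    Select-Object -First 1

if ($cert -eq $null) {
    throw "No certificate with a private key covers $fqdn on this server"
}
if ($cert.NotAfter -lt (Get-Date).AddDays(30)) {
    Write-Warning ("Certificate {0} expires {1}; renew it before clients start failing" -f $cert.Thumbprint, $cert.NotAfter)
}

# Bind it to IMAP and POP only; UM, IIS and SMTP keep whatever they have now.
Enable-ExchangeCertificate -Thumbprint $cert.Thumbprint -Services "IMAP,POP"

# Verify: Services should now list IMAP and POP for this thumbprint.
Get-ExchangeCertificate -Thumbprint $cert.Thumbprint |
    Format-List Thumbprint, Subject, CertificateDomains, Services, NotAfter
```

Selecting by the public FQDN rather than by server name matters because the self-signed certificate Exchange 2007 installs is issued to the machine name; it will happily bind to IMAP and POP, but no client outside the box will trust it.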
Control User Access
You can control which users have access to IMAP and POP by using the Set-CASMailbox
task in Exchange Management Shell. The RTM version of Exchange 2007 doesn't
have a way to enable or disable access to these protocols from within Exchange
Management Console, which is a downgrade from Exchange 2003. However, Set-CASMailbox
has a major benefit: it's easy to change settings on groups of users by using
the Get-DistributionGroupMember task, which works only with mail-enabled
distribution or universal security groups. By piping that task's output to
Set-CASMailbox, you can quickly grant or deny POP or IMAP access to
groups of users. For example,
Get-DistributionGroupMember "Field Engineers" | Set-CASMailbox -IMAPEnabled $true -POPEnabled $false
will enable IMAP and disable POP for all your field engineers. You can also
use Set-CASMailbox on individual mailboxes. Thus,
Set-CASMailbox "Robichaux\paulr" -IMAPEnabled $true
will turn on IMAP for only my mailbox. Interestingly, the built-in administrator
account is explicitly blocked from using IMAP and POP.
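The group-based change above, as an added example (not the article's code) that does a dry run first, applies the change, and then looks for members it missed. The group name is the one used above; its membership is assumed to be whatever your directory holds.

```powershell
# Added example, not from the article. "Field Engineers" is the article's group;
# its members are assumed. Run in the Exchange Management Shell.
$group = "Field Engineers"

# Get-DistributionGroupMember returns direct members only (nested groups are not
# expanded) and can include contacts, which have no mailbox to configure, so
# keep only mailbox recipients before piping to Set-CASMailbox.
$members = Get-DistributionGroupMember $group |
    Where-Object { $_.RecipientType -like "*Mailbox" }

# Dry run: -WhatIf reports what would change and touches nothing.
$members | Set-CASMailbox -IMAPEnabled $true -POPEnabled $false -WhatIf

# Apply the change.
$members | Set-CASMailbox -IMAPEnabled $true -POPEnabled $false

# Verify: an empty list is the result you want; anything listed here still has
# the wrong state and needs a closer look.
$members | Get-CASMailbox |
    Where-Object { -not $_.IMAPEnabled -or $_.POPEnabled } |
    Format-Table Name, IMAPEnabled, POPEnabled

# Organization-wide audit: every mailbox that can still use POP.
Get-CASMailbox -ResultSize Unlimited |
    Where-Object { $_.POPEnabled } |
    Sort-Object Name |
    Format-Table Name, POPEnabled, IMAPEnabled
```

If the group nests other groups, run the same script against each nested group, or build the member list from Get-Recipient with a filter on the attribute that actually defines the population.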
Set Options on IMAP and POP Servers
IMAP and POP servers have options that you can configure to control how users
interact with the servers and what features are available. These options are
described in the Exchange 2007 documentation for the Get-IMAPSettings and Get-POPSettings
Exchange Management Shell tasks. Many of these settings have counterparts
in Exchange 2003, but some either aren't adjustable in earlier versions or require
editing the metabase or registry instead of making a straightforward configuration
change.
For example, you can set the banner that the service displays when a client
connects by using the Banner parameter, like this:
Get-IMAPSettings | Set-IMAPSettings -Banner "Welcome to my IMAP server"
Whatever you put in the banner is shown to every client before it authenticates,
so keep product and version details out of it.
Notice that this example used Get-IMAPSettings to get the IMAP settings for
the local server, then piped the result to Set-IMAPSettings to apply the same
settings plus a single change to that server. You can also modify settings
on a specific server by passing its name to the Server parameter (assuming you know it, or
can find it).
You might consider changing three other options under some conditions:
- The LoginType parameter controls the authentication methods users can use
to log on to the server. By default, it is set to SecureLogin, which uses secure logon
with NTLM or Kerberos first. You can set it to PlainTextLogin (1), which accepts plain-text
logons that pass the credentials in the clear, or PlainTextAuthentication (2), which accepts plain-text
authentication but uses obfuscation to hide the credentials. It's a good idea
to leave this setting at its default and change your clients to require secure
authentication if possible.
- The MaxConnections parameter controls how many connections the server will
accept at once. The default, 2000, is generous. You might want to consider
reducing the number if you don't have many POP or IMAP users.
- The MaxConnectionsFromSingleIP parameter controls how many simultaneous connections
are allowed from a single client IP address. The default of 20 is adequate for most
situations, although you might need to allow more connections if you have
clients behind a firewall that uses Network Address Translation (NAT)
and thus appear to Exchange to share a single IP address.
Specify Port Numbers
Another common configuration change that administrators make to IMAP and POP
servers is to the default set of ports the protocols use. Some administrators
view this as a security measure (although it's more of an obscurity measure: a port
scan finds the moved service in seconds, and only TLS and the LoginType setting actually
protect the credentials), whereas others want to change the standard port numbers
to provide interoperability or consistency with past deployments. You do this by using
two parameters, each of which takes one or more bindings in the form IPaddress:port:
- UnencryptedOrTLSBindings sets the port number for unencrypted connections
or connections that upgrade to Transport Layer Security (TLS) on the same port
with STARTTLS (IMAP) or STLS (POP).
- SSLBindings controls the port number for connections that are SSL-protected
from the first byte.
You can set these parameters independently of each other and independently on
each service. However, if you do change them, remember that your mail
clients will have to be configured to use the correct port numbers.
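Pulling the option changes and the port changes above together, here is an added example, not the article's code, that hardens one server's IMAP service, moves it to non-standard ports, and restarts it so the settings take effect. The server name CAS01, the connection limits 500 and 50, and the ports 1143 and 1993 are assumptions; the cmdlet and parameter names are those of Exchange 2007's Set-IMAPSettings, and the POP equivalents are the same parameters on Set-POPSettings.

```powershell
# Added example, not from the article. Assumptions: server CAS01, ports 1143/1993,
# connection limits 500 total and 50 per IP. Run in the Exchange Management Shell
# as an account that can restart services on the server.
$server = "CAS01"

# Record the current settings so the change can be reversed.
$before = Get-IMAPSettings -Server $server
$before | Format-List LoginType, Banner, MaxConnections, MaxConnectionsFromSingleIP,
    UnencryptedOrTLSBindings, SSLBindings

# Keep SecureLogin (the default, re-asserted so a drift is corrected), use a
# banner that discloses nothing about product or version, and cap total and
# per-IP connections below the generous defaults.
Set-IMAPSettings -Server $server `
    -LoginType SecureLogin `
    -Banner "IMAP service ready" `
    -MaxConnections 500 `
    -MaxConnectionsFromSingleIP 50

# Move the listeners. Bindings are IPaddress:port; 0.0.0.0 means every IPv4
# address on the box. 1143 carries clear/STARTTLS traffic, 1993 carries SSL.
Set-IMAPSettings -Server $server `
    -UnencryptedOrTLSBindings "0.0.0.0:1143" `
    -SSLBindings "0.0.0.0:1993"

# The IMAP4 service reads its settings at startup. Exchange 2007 installs it set
# to Manual and stopped, so make it start with the box and restart it now.
Set-Service -Name MSExchangeIMAP4 -StartupType Automatic
Restart-Service -Name MSExchangeIMAP4

# Verify the stored configuration, then confirm the listeners actually moved.
Get-IMAPSettings -Server $server | Format-List LoginType, Banner, MaxConnections,
    MaxConnectionsFromSingleIP, UnencryptedOrTLSBindings, SSLBindings
netstat -an | Select-String ":1143 |:1993 |:143 |:993 "
```

The netstat line is the check that matters after a port change: if 143 or 993 are still listening, the service did not pick up the new bindings, and if 1143 or 1993 are absent, the clients you are about to reconfigure will fail.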
Proxy Access
In Exchange 2003 and 2000, a front-end server would automatically proxy IMAP
and POP traffic. In Exchange 2007, the proxy mechanism is slightly different:
the Client Access server still proxies IMAP and POP access, but you can control
whether it is allowed to send proxy requests to Exchange
2003 mailbox servers. Allowing it lets you use the CAS to reach both Exchange 2007
and Exchange 2003 mailboxes through POP or IMAP; disallowing it is useful if you want
to restrict users with Exchange 2003 mailboxes to accessing those mailboxes
through an existing Exchange 2003 server. You'll also need to understand the
proxy mechanism if your Exchange 2003 servers are using non-standard ports for
IMAP or POP.